Frequently Asked Question
What is a container registry and how does Docker Hub work?
A registry is the place container images live when nobody is using them: a content-
addressed object store with an HTTP API standardised by the OCI distribution-spec.
You push an image to give it a tag (myorg/webapp:1.2.3), and any machine that
can reach the registry can pull it by that tag and get exactly the same bytes: the
manifest and every layer are addressed by SHA-256, so there is no ambiguity about
what "1.2.3" actually contains. Internally a registry is mostly a clever frontend for
a blob store like S3.
Docker Hub (hub.docker.com) is the original and still the largest public
registry, host of official images for almost every major piece of open-source
software. But it is no longer alone: GitHub Container Registry (ghcr.io),
GitLab Registry, Quay.io (Red Hat), Amazon ECR, Google Artifact
Registry, and Azure Container Registry all implement the same OCI distribution
API. Many organisations run a private registry (using Harbor, or the open-source
registry:2 image, or a hosted equivalent) for internal images and use a public
registry for upstream pulls.
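
The content addressing described above, as an added example that is not code from this page or from any registry project: a client re-hashes the manifest and every layer after a pull and rejects anything that does not match its SHA-256 digest. ToyRegistry, pull_verified and the simplified manifest layout are assumptions made for illustration, and the optional pinned-digest check goes slightly beyond the text.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    """Content address in the form the distribution API uses: sha256:<hex>."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

class ToyRegistry:
    """Hypothetical in-memory registry: a blob store plus a tag -> digest table."""
    def __init__(self):
        self.blobs = {}  # digest -> bytes (stands in for the S3-like backend)
        self.tags = {}   # "repo:tag" -> manifest digest

    def push(self, ref: str, layers: list) -> str:
        descriptors = []
        for layer in layers:
            d = digest(layer)
            self.blobs[d] = layer
            descriptors.append({"digest": d, "size": len(layer)})
        # Simplified manifest: a real OCI manifest also carries a config and media types.
        manifest = json.dumps({"schemaVersion": 2, "layers": descriptors}).encode()
        manifest_digest = digest(manifest)
        self.blobs[manifest_digest] = manifest
        self.tags[ref] = manifest_digest
        return manifest_digest

def pull_verified(reg: ToyRegistry, ref: str, pinned: str = None) -> list:
    """Resolve a tag, then re-hash the manifest and every layer before trusting them."""
    manifest_digest = reg.tags[ref]
    if pinned is not None and manifest_digest != pinned:
        raise ValueError(f"{ref} resolves to {manifest_digest}, not pinned {pinned}")
    manifest = reg.blobs[manifest_digest]
    if digest(manifest) != manifest_digest:
        raise ValueError("manifest bytes do not match their digest")
    layers = []
    for desc in json.loads(manifest)["layers"]:
        blob = reg.blobs[desc["digest"]]
        if len(blob) != desc["size"] or digest(blob) != desc["digest"]:
            raise ValueError(f"layer {desc['digest']} failed verification")
        layers.append(blob)
    return layers

if __name__ == "__main__":
    reg = ToyRegistry()
    layers = [b"constructed base layer", b"constructed app layer"]  # sample data
    pinned = reg.push("myorg/webapp:1.2.3", layers)
    assert pull_verified(reg, "myorg/webapp:1.2.3", pinned) == layers
    print("verified", pinned)
```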